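---
# Test-environment preparation playbook.
#
# Plays run in order: local X.509 fixture generation, bootstrap of every
# managed host, a local ClamAV database mirror, OpenSSL and hosts-file
# fixtures on the bookworm group, client-side test tooling, the LDAP and
# backup helper roles, LDAP fixture entries, and local users on the mail
# servers under test. Everything here is fixture set-up: several steps
# deliberately weaken TLS or use fixed credentials and are only meant for
# the isolated test environment.

- name: Prepare, test fixtures
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Initialise CA hierarchy
      command: "gimmecert init"
      args:
        creates: ".gimmecert/ca/level1.cert.pem"
        chdir: "tests/data/"

    # Each server certificate covers the FQDN and, when the FQDN carries a
    # "-suffix" (e.g. "-bookworm"), also the name with the last suffix
    # stripped. FQDNs without a dash get no extra name: the previous
    # "fqdn[: fqdn.rfind('-')]" expression sliced off the last character
    # in that case (rfind() returns -1) and produced a bogus
    # "database.clamav.ne" subject alternative name.
    - name: Generate server private keys and certificates
      command:
        chdir: "tests/data/"
        creates: ".gimmecert/server/{{ item.name }}.cert.pem"
        argv: >-
          {{ ['gimmecert', 'server', item.name, item.fqdn]
             + ([item.fqdn.rsplit('-', 1)[0]] if '-' in item.fqdn else []) }}
      with_items:
        - name: clamav-database_https
          fqdn: database.clamav.net
        - name: ldap-server_ldap
          fqdn: ldap-server
        - name: parameters-mandatory-bookworm_imap
          fqdn: parameters-mandatory-bookworm
        - name: parameters-mandatory-bookworm_smtp
          fqdn: parameters-mandatory-bookworm
        - name: parameters-optional-bookworm_imap
          fqdn: parameters-optional-bookworm
        - name: parameters-optional-bookworm_smtp
          fqdn: parameters-optional-bookworm

    - name: Set-up link to generated X.509 material
      file:
        src: ".gimmecert"
        dest: "tests/data/x509"
        state: link

- name: Prepare
  hosts: all
  become: true
  gather_facts: false
  tasks:
    # Fact gathering is off for this play because the interpreter may not
    # exist yet; "raw" needs nothing but a shell on the target.
    - name: Install python for Ansible
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
      changed_when: false

    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

    - name: Install tools for testing
      apt:
        name:
          - gnutls-bin
          - nmap
        state: present

- name: Prepare, helpers, local ClamAV database mirror (avoid upstream rate limits)
  hosts: clamav-database
  become: true
  tasks:
    - name: Install system packages for hosting the ClamAV database
      apt:
        name:
          - nginx
          - virtualenv
        state: present

    - name: Set-up directory for ClamAV database sync tool virtual environment
      file:
        path: /var/lib/cvdupdate
        state: directory
        owner: vagrant
        group: vagrant
        mode: "0755"

    # "creates" has to point inside the environment: the directory itself is
    # made by the task above, so "creates: /var/lib/cvdupdate" skipped this
    # command on every run and the environment only came into being as a
    # side effect of the pip task below (without the custom prompt).
    - name: Create virtual environment for running ClamAV database sync tool
      become: true
      become_user: vagrant
      command:
        cmd: "/usr/bin/virtualenv --python /usr/bin/python3 --prompt '(cvdupdate) ' /var/lib/cvdupdate"
        creates: "/var/lib/cvdupdate/bin/python"

    - name: Deploy pip requirements file for running the ClamAV database sync tool
      copy:
        src: cvdupdate-requirements.txt
        dest: /var/lib/cvdupdate/requirements.txt
        owner: vagrant
        group: vagrant
        mode: "0644"

    - name: Install requirements in the ClamAV database sync tool virtual environment
      become: true
      become_user: vagrant
      pip:
        requirements: /var/lib/cvdupdate/requirements.txt
        virtualenv: /var/lib/cvdupdate

    # Execute-only for "other" so the nginx worker can reach the database
    # directory below without being able to list /vagrant itself.
    - name: Allow traversal of Vagrant directory by the http server user
      file:
        path: /vagrant/
        mode: "0711"

    - name: Create directory for storing ClamAV database files
      file:
        path: /vagrant/clamav-database
        state: directory
        owner: vagrant
        group: vagrant
        mode: "0755"

    - name: Configure default location for storing ClamAV database files  # noqa no-changed-when
      # [no-changed-when] Commands should not change things if nothing needs doing
      # Does not matter in test prepare step.
      become: true
      become_user: vagrant
      command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/"

    - name: Download/update the ClamAV database files  # noqa no-changed-when
      # [no-changed-when] Commands should not change things if nothing needs doing
      # Does not matter in test prepare stage.
      become: true
      become_user: vagrant
      command: "/var/lib/cvdupdate/bin/cvd update"

    # Group/other get the owner's permissions minus write, recursively, so
    # nginx can serve the files read-only.
    - name: Allow all users to read ClamAV database files
      file:
        path: "/vagrant/clamav-database/"
        mode: "g=u-w,o=u-w"
        recurse: true

    # Key material is supplied through the variables referenced below
    # (defined outside this playbook); the key is kept root-only readable
    # via the group, the certificate is public.
    - name: Deploy nginx TLS private key
      copy:
        dest: "/etc/ssl/private/nginx_https.key"
        content: "{{ clamav_database_http_server_tls_key }}"
        mode: "0640"
        owner: root
        group: root
      notify:
        - Restart nginx

    - name: Deploy nginx TLS certificate
      copy:
        dest: "/etc/ssl/certs/nginx_https.pem"
        content: "{{ clamav_database_http_server_tls_certificate }}"
        mode: "0644"
        owner: root
        group: root
      notify:
        - Restart nginx

    - name: Deploy nginx configuration for serving the ClamAV database files
      copy:
        src: clamav-database-nginx.conf
        dest: /etc/nginx/sites-available/default
        owner: root
        group: root
        mode: "0644"
      notify:
        - Restart nginx

  handlers:
    - name: Restart nginx
      service:
        name: nginx
        state: restarted

- name: Prepare, test fixtures
  hosts: bookworm
  become: true
  tasks:
    # Lowers the system-wide OpenSSL floor so tests can exercise the
    # web_server_tls_protocols parameter against legacy protocol versions.
    # This is a test-only downgrade.
    # NOTE(review): the task name says TLSv1.0+ but MinProtocol is set to
    # TLSv1.1 — confirm which one is intended.
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
      blockinfile:
        path: "/etc/ssl/openssl.cnf"
        block: |
          [openssl_init]
          ssl_conf = ssl_sect
          [ssl_sect]
          system_default = system_default_sect
          [system_default_sect]
          MinProtocol = TLSv1.1
          CipherString = DEFAULT@SECLEVEL=0
        owner: root
        group: root
        mode: "0644"
        state: present

    # The address is regex-escaped and anchored on trailing whitespace so
    # that "^192.168.56.1" cannot match e.g. "192.168.56.11" or a line where
    # the dots stand for arbitrary characters.
    - name: Set-up the hosts file
      lineinfile:
        path: /etc/hosts
        regexp: "^{{ item.key | regex_escape }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        owner: root
        group: root
        mode: "0644"
        state: present
      with_dict:
        # Force mail servers to use local ClamAV database mirror.
        192.168.56.11: "db.local.clamav.net database.clamav.net"
        192.168.56.12: "ldap-server backup-server"
        192.168.56.21: "client1 smtp-server-requiring-tls"
        192.168.56.22: "client2 smtp-server-refusing-tls"
        192.168.56.31: "parameters-mandatory parameters-mandatory-bookworm"
        192.168.56.32: "parameters-optional parameters-optional-bookworm"

- name: Prepare, helpers
  hosts: client
  become: true
  tasks:
    - name: Install tool for testing SMTP capability
      apt:
        name: swaks
        state: present

    - name: Install tool for testing IMAP
      block:
        - name: Install required system packages
          apt:
            name: python3-venv
            state: present

        - name: Set-up dedicated Python virtual environment for running the tool
          command: "python3 -m venv /opt/imap-cli"
          args:
            creates: /opt/imap-cli/bin/python

        - name: Install IMAP CLI
          pip:
            name:
              - Imap-CLI==0.7
              - six
            state: present
            virtualenv: /opt/imap-cli

        - name: Set-up symlinks for running the tool
          file:
            src: "/opt/imap-cli/bin/{{ item }}"
            dest: "/usr/local/bin/{{ item }}"
            owner: root
            group: root
            state: link
          with_items:
            - imapcli
            - imap-cli-flag
            - imap-cli-delete
            - imap-cli-copy
            - imap-api
            - imap-shell
            - imap-notify
            - imap-cli-status
            - imap-cli-search
            - imap-cli-read
            - imap-cli-list

    - name: Install tool for testing SIEVE
      apt:
        name: sieve-connect
        state: present

    - name: Install tool for testing TCP connectivity
      apt:
        name: hping3
        state: present

    # The configuration files hold fixture account credentials; keep them
    # owner-only readable.
    - name: Deploy IMAP CLI configuration
      copy:
        src: "tests/data/{{ item }}"
        dest: "/home/vagrant/{{ item }}"
        owner: vagrant
        group: vagrant
        mode: "0600"
      with_items:
        - imapcli-parameters-mandatory-john_doe.conf
        - imapcli-parameters-mandatory-jane_doe.conf
        - imapcli-parameters-optional-john_doe.conf
        - imapcli-parameters-optional-jane_doe.conf

    # Trust the test CA generated by the first play so that clients can
    # validate the fixture server certificates.
    - name: Deploy CA certificate
      copy:
        src: tests/data/x509/ca/level1.cert.pem
        dest: /usr/local/share/ca-certificates/testca.crt
        owner: root
        group: root
        mode: "0644"
      notify:
        - Update CA certificate cache

    - name: Install and configure Postfix for testing mail sending from managed servers
      block:
        - name: Install Postfix
          apt:
            name: postfix
            state: present

        - name: Purge Exim
          apt:
            name: "exim4*"
            state: absent
            purge: true

        - name: Configure Postfix
          template:
            src: "helper_smtp_main.cf.j2"
            dest: "/etc/postfix/main.cf"
            owner: root
            group: root
            mode: "0644"
          notify:
            - Restart Postfix

        - name: Enable Postfix service
          service:
            name: postfix
            state: started
            enabled: true

  handlers:
    - name: Update CA certificate cache  # noqa no-changed-when
      command: /usr/sbin/update-ca-certificates --fresh
      # [no-changed-when] Commands should not change things if nothing needs doing
      # Does not matter in test prepare stage.

    - name: Restart Postfix
      service:
        name: postfix
        state: restarted

- name: Prepare, helpers
  hosts: ldap-server
  become: true
  roles:
    - ldap_server
    - backup_server

- name: Prepare, test fixtures
  hosts: ldap-server
  become: true
  tasks:
    # userPassword values below are fixture credentials for the test
    # directory only.
    - name: Create LDAP accounts for testing
      ldap_entry:
        dn: "{{ item.dn }}"
        objectClass: "{{ item.objectClass }}"
        attributes: "{{ item.attributes }}"
      with_items:
        # Users.
        - dn: uid=john,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: johnpassword
            uid: john
            cn: John Doe
            sn: Doe
            mail: john.doe@domain1
        - dn: uid=jane,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: janepassword
            uid: jane
            cn: Jane Doe
            sn: Doe
            mail: jane.doe@domain2
        - dn: uid=nomail,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: nomailpassword
            uid: nomail
            cn: No Mail
            sn: Mail
            mail: nomail@domain1
        # Domains
        - dn: dc=domain1,ou=domains,ou=mail,ou=services,dc=local
          objectClass: dNSDomain
          attributes:
            dc: domain1
        - dn: dc=domain2,ou=domains,ou=mail,ou=services,dc=local
          objectClass: dNSDomain
          attributes:
            dc: domain2
        # Aliases
        - dn: cn=postmaster@domain1,ou=aliases,ou=mail,ou=services,dc=local
          objectClass: nisMailAlias
          attributes:
            cn: postmaster@domain1
            rfc822MailMember: john.doe@domain1
        - dn: cn=webmaster@domain2,ou=aliases,ou=mail,ou=services,dc=local
          objectClass: nisMailAlias
          attributes:
            cn: webmaster@domain2
            rfc822MailMember: jane.doe@domain2

    # "state: exact" makes the group membership exactly this list; "nomail"
    # is deliberately left out.
    - name: Add test accounts to correct group
      ldap_attr:
        dn: "cn=mail,ou=groups,dc=local"
        name: uniqueMember
        state: exact
        values:
          - uid=john,ou=people,dc=local
          - uid=jane,ou=people,dc=local

- name: Prepare, test fixtures
  hosts: parameters-mandatory,parameters-optional
  become: true
  tasks:
    - name: Create group for user used for local mail delivery testing
      group:
        name: localuser

    - name: Create user for local mail delivery testing
      user:
        name: localuser
        group: localuser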